VFS_FULL_AUDIT(8)          System Administration tools          VFS_FULL_AUDIT(8)

NAME
       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS
       vfs objects = full_audit

DESCRIPTION
       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:

           aio_force
           audit_file
           brl_lock_windows
           brl_unlock_windows
           chdir
           chflags
           chmod
           close
           closedir
           connect
           connectpath
           create_dfs_pathat
           create_file
           disconnect
           disk_free
           durable_cookie
           durable_disconnect
           durable_reconnect
           fallocate
           fchmod
           fchown
           fdopendir
           fget_compression
           fget_dos_attributes
           fget_nt_acl_at
           fgetxattr
           file_id_create
           flistxattr
           fremovexattr
           fs_capabilities
           fsctl
           fset_dos_attributes
           fset_nt_acl
           fsetxattr
           fs_file_id
           fstat
           fsync
           fsync_recv
           fsync_send
           ftruncate
           get_alloc_size
           get_dfs_referrals
           get_dos_attributes
           get_dos_attributes_recv
           get_dos_attributes_send
           getlock
           get_nt_acl
           get_quota
           get_real_filename
           get_shadow_copy_data
           getwd
           getxattr
           getxattrat_recv
           getxattrat_send
           is_offline
           filesystem_sharemode
           lchown
           linkat
           linux_setlease
           listxattr
           lock
           lseek
           lstat
           mkdirat
           mknodat
           ntimes
           offload_read_recv
           offload_read_send
           offload_write_recv
           offload_write_send
           open
           pread
           pread_recv
           pread_send
           pwrite
           pwrite_recv
           pwrite_send
           read
           readdir
           readdir_attr
           readlinkat
           realpath
           recvfile
           removexattr
           renameat
           rewinddir
           seekdir
           sendfile
           set_compression
           set_dos_attributes
           set_offline
           set_quota
           setxattr
           snap_check_path
           snap_create
           snap_delete
           stat
           statvfs
           streaminfo
           strict_lock_check
           symlinkat
           sys_acl_blob_get_fd
           sys_acl_blob_get_file
           sys_acl_get_fd
           sys_acl_get_file
           sys_acl_set_fd
           telldir
           translate_name
           unlinkat
           write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS
       operations and none of the VFS operations respectively.

       vfs_full_audit records operations in a fixed format consisting of fields
       separated by '|' characters. The format is:

                   smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

       •   PREFIX - the result of the full_audit:prefix string after
           variable substitutions

       •   OPERATION - the name of the VFS operation

       •   RESULT - whether the operation succeeded or failed

       •   FILE - the name of the file or directory the operation was
           performed on

       This module is stackable.

OPTIONS
       full_audit:prefix = STRING
           Prepend audit messages with STRING. STRING is processed for
           standard substitution variables listed in smb.conf(5). The default
           prefix is "%u|%I".

       full_audit:success = LIST
           LIST is a list of VFS operations that should be recorded if they
           succeed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is no operations.

       full_audit:failure = LIST
           LIST is a list of VFS operations that should be recorded if they
           failed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is no operations.

       full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
           Log messages with the named syslog(3) priority.

       full_audit:syslog = true/false
           Log messages to syslog (default) or as a debug level 1 message.

       full_audit:log_secdesc = true/false
           Log an SDDL form of the security descriptor coming in when a client
           sets an ACL. Defaults to false.

EXAMPLES
       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address. Logging excludes the open VFS function on failures:

                   [records]
                   path = /data/records
                   vfs objects = full_audit
                   full_audit:prefix = %u|%I
                   full_audit:success = open opendir
                   full_audit:failure = all !open
                   full_audit:facility = LOCAL7
                   full_audit:priority = ALERT

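       A parser for the smbd_audit: PREFIX|OPERATION|RESULT|FILE record format
       described above, written as an added example; it is not part of the
       Samba man page or the Samba code. It counts how many '|' fields the
       configured full_audit:prefix contributes so that a FILE value containing
       '|' stays whole. Assumptions: RESULT begins with "ok" or "fail", and the
       sample log lines, host name and addresses are constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

TAG = "smbd_audit: "  # record tag from the format line on this page

class AuditRecord(NamedTuple):
    prefix: tuple    # substituted full_audit:prefix fields, e.g. (user, ip)
    operation: str   # VFS operation name
    ok: bool         # True when RESULT starts with "ok"
    detail: str      # remainder of RESULT, e.g. "(Permission denied)"
    file: str        # FILE field, kept whole even if it contains '|'

def parse_line(line: str, prefix_template: str = "%u|%I") -> Optional[AuditRecord]:
    """Parse one syslog line; return None if it is not a well-formed record."""
    pos = line.find(TAG)
    if pos < 0:
        return None
    body = line[pos + len(TAG):].rstrip("\n")
    n = prefix_template.count("|") + 1          # fields contributed by PREFIX
    parts = body.split("|", n + 2)              # everything after RESULT is FILE
    if len(parts) != n + 3:
        return None
    *prefix, operation, result, file = parts
    # Assumption (not stated on this page): RESULT is "ok" or "fail (<error text>)".
    m = re.fullmatch(r"(ok|fail)\s*(.*)", result)
    if m is None:  # fields misaligned, e.g. '|' inside a substituted prefix value
        return None
    return AuditRecord(tuple(prefix), operation, m.group(1) == "ok", m.group(2), file)

def failures_by_prefix(lines, prefix_template: str = "%u|%I") -> Counter:
    """Count failed operations per PREFIX tuple (user and client IP by default)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, prefix_template)
        if rec is not None and not rec.ok:
            counts[rec.prefix] += 1
    return counts

# Constructed sample lines (not real log output).
SAMPLE = [
    "Jun 13 10:00:01 fs1 smbd_audit: alice|192.0.2.10|open|ok|/data/records/q2.xlsx",
    "Jun 13 10:00:02 fs1 smbd_audit: bob|192.0.2.44|unlinkat|fail (Permission denied)|a|b.txt",
    "Jun 13 10:00:03 fs1 smbd_audit: bob|192.0.2.44|renameat|fail (Permission denied)|old|new",
    "Jun 13 10:00:04 fs1 smbd[812]: unrelated daemon message",
    "Jun 13 10:00:05 fs1 smbd_audit: x|y|192.0.2.9|open|ok|f",
]

if __name__ == "__main__":
    for key, count in failures_by_prefix(SAMPLE).items():
        print("|".join(key), count)
```

       Pass the share's own full_audit:prefix value as prefix_template when it
       differs from the default; lines that do not fit the expected field count
       or RESULT shape are rejected rather than guessed at.
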
VERSION
       This man page is part of version 4.16.2 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.16.2                       06/13/2022                  VFS_FULL_AUDIT(8)